Various return address corrupting techniques may be employed by malicious software for carrying out a return-oriented programming (ROP) attack. ROP is a method of hijacking the execution flow of the current process by exploiting a return instruction which, in many processor architectures, pops from the top of the stack the address of the next instruction to be executed, normally the instruction following the corresponding call instruction within the calling routine. Thus, by overwriting the saved return address on the stack, an attacker can divert the execution flow of the current process to an arbitrary memory location without injecting any code of their own. Having hijacked the execution flow, the attacker can, for example, place the arguments on the stack and transfer control to an existing library function. This technique is known as “return-into-library” (more commonly “return-into-libc” or “return-to-libc”). In another example, the attacker locates within the code segment several short instruction sequences, each ending in a return instruction (often called “gadgets”), and chains them by stacking their addresses so that each return transfers control to the next. This approach is known as the “borrowed code chunks technique.”
A variety of methods can be used by the attacker for the initial corruption of the return address. For example, the buffer overflow method involves supplying more input data than the routine is expecting to receive, so that, when the input buffer is located on the stack, the excess data overwrites the saved frame pointer and the return address above it. When the attacker-controlled data does not reside on the stack (for example, in a heap buffer), the attacker may first redirect the stack pointer to that data by returning into a gadget that reloads the stack pointer from a controlled register; this preparatory step is referred to as “stack pivoting,” and it is distinct from the corruption that first diverts control.
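The two paragraphs above describe the mechanism (an unbounded copy spilling over the saved return address) and the return-into-library layout (function address, followed by the address it will return to, followed by its first argument). The following C program, added here as an illustration rather than code from the original page, models a 32-bit x86 stack frame as a struct so the overwrite can be observed deterministically: it is an in-memory mock-up, not a live exploit, so corrupting the modelled `ret` field changes data, not the CPU's control flow. The frame layout, the buffer size, and the three addresses passed to the payload builder are assumptions chosen for the demonstration; the vulnerable and hardened copy routines are shown side by side.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a 32-bit x86 stack frame, growing toward higher addresses:
 * a fixed local buffer, the saved frame pointer, then the return address.
 * Assumption for illustration only: a real frame may hold other locals,
 * alignment padding or a stack canary between buf and ret. */
#define BUF_SIZE 64

struct frame {
    char     buf[BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t ret;          /* the word a ret instruction would pop next */
};

/* Vulnerable: copies len bytes with no regard for the buffer size, so any
 * input longer than BUF_SIZE spills into saved_ebp and ret. The clamp to
 * sizeof *f only keeps the demo inside its own memory; it is not a fix,
 * and in a real frame the excess would continue into the caller's frame. */
void vulnerable_copy(struct frame *f, const uint8_t *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;      /* demo guard, not a fix */
    memcpy((uint8_t *)f, src, len);            /* starts at buf[0] */
}

/* Hardened: the bound is the destination's size. Returns -1 and leaves the
 * frame untouched when the input would not fit, rather than truncating silently. */
int hardened_copy(struct frame *f, const uint8_t *src, size_t len) {
    if (len >= BUF_SIZE) return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Serialise a 32-bit value little-endian, as x86 stores it on the stack. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Return-into-library payload for the 32-bit cdecl convention: filler up to
 * the return slot, the library function's address (popped by ret), the
 * address the function will itself return to when it finishes, then its
 * first argument. The addresses are caller-supplied placeholders (assumption),
 * not values taken from any real binary. Returns the payload length, or 0
 * if the output buffer is too small. */
size_t build_ret2libc_payload(uint8_t *out, size_t cap,
                              uint32_t func, uint32_t next_ret, uint32_t arg0) {
    size_t pad  = offsetof(struct frame, ret);   /* bytes before the return slot */
    size_t need = pad + 3 * sizeof(uint32_t);
    if (cap < need) return 0;
    memset(out, 'A', pad);                       /* fills buf and saved_ebp */
    put_le32(out + pad,     func);
    put_le32(out + pad + 4, next_ret);
    put_le32(out + pad + 8, arg0);
    return need;
}

int main(void) {
    uint8_t payload[128];
    size_t n = build_ret2libc_payload(payload, sizeof payload,
                                      0x08049000u, 0xdeadbeefu, 0x0804a000u);

    struct frame f = { .ret = 0x08048500u };     /* legitimate return address */
    vulnerable_copy(&f, payload, n);
    printf("vulnerable: ret now 0x%08x, saved ebp 0x%08x (%zu-byte payload)\n",
           f.ret, f.saved_ebp, n);

    struct frame g = { .ret = 0x08048500u };
    int rc = hardened_copy(&g, payload, n);
    printf("hardened:   rc=%d, ret still 0x%08x\n", rc, g.ret);
    return 0;
}
```

Note that the last two words of the payload (the function's own return address and its argument) fall past the end of the modelled frame; in a real process they would land in the caller's frame, which is exactly where the library function expects to find its return address and first argument once the hijacked `ret` has popped the function's address.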